While the federal HIPAA law requires hospitals to closely protect the privacy of patients, the same law allows hospitals to use certain information from health records in their fundraising campaigns — a practice some patients find objectionable.
When Steve Finn got a call on his unlisted telephone number from the University of Washington Medical Center seeking a donation, he was perplexed.
How on earth did the caller get his name and number?
Finn, a 62-year-old retired CPA who lives on Queen Anne Hill, a one-time patient at the UW, knew that a broad federal law known as HIPAA protects patient privacy. So he was astounded when the caller told him the information had come from patient records.
- Power restored after major, hour-long outage in downtown Seattle
- Trump, Clinton win Washington state primary
- Designed in Seattle, this $1 cup could save millions of babies
- Boeing plans hundreds of layoffs in local IT unit
- Walkoff magic! Leonys Martin’s dramatic homer in ninth lifts Mariners
Most Read Stories
It seemed logical to Finn that the law, which bars patient information from being used for commercial purposes, would also bar its use for fundraising. He also wanted to know: What did the caller know about him? Was the caller a “qualified health professional” entitled to his information under the law?
And how could he get off the list?
In fact, HIPAA specifically allows medical centers to use patient information for fundraising activities, explained Richard Meeks, director of the UW’s privacy program.
Information about diagnosis or treatment is off-limits, but federal and state laws allow hospitals, in most cases, to use a patient’s name, address, contact information, dates of hospital service, gender, age and insurance status in fundraising efforts.
Despite being legal, the practice, widely used by other nonprofit hospitals here and across the country, has raised eyebrows before.
In part, that’s because people mistakenly lump health-care fundraising with those annoying commercial telemarketing calls that interrupt dinner, says William McGinly, president and CEO of the Association of Healthcare Philanthropy.
“It is a common misunderstanding,” he said. “Fundraising is a part of health-care operations.”
The UW’s fundraising drive, which began in April and ended early this month, ultimately raised nearly $28,000, said Tina Mankowski, UW spokeswoman.
The money will help fund uncompensated care at Harborview Medical Center, she said, and pay for equipment, services and supplies at the UW Medical Center and UW Medicine’s neighborhood clinics. That might mean sleeper chairs for family members visiting patients, for instance, or books on living with cancer.
“Fundraising is an important part of health care,” Mankowski said. “We are not selling any goods or services — we are a nonprofit raising funds.”
The callers were primarily students under contract to the UW and trained in HIPAA privacy rules, Meeks said.
Although the campaigns have been conducted for several years, Mankowski said, no complaints have been received before now. This year, about 150 former patients of the nearly 6,000 who were solicited opted out of having their names on the fundraising list, she said.
Finn, too, tried to opt out. But he found it wasn’t as easy as he thought it should be.
The script used by the student solicitors included information about a toll-free telephone number to call. But when he did, the telephone voice-mail box said it was full. The next day, he got the same message.
He finally got through, left his name and number, but didn’t get a call back. In frustration, on the third day, he called the UW’s privacy office to complain.
As it turns out, when Finn first went to the hospital, he was almost certainly given a 16-page tome entitled “Joint Notice of Privacy practices of UW Medicine and Certain Other Providers.”
The notice explains how a patient’s data may be used, and notes that phone solicitors don’t have access to “diagnosis or treatment information” and must agree to keep the information they do see confidential.
It also explains how patients can opt out of having their information used for fundraising.
Finn’s visit to the hospital’s emergency room after an accident was rushed. “Like I was reading the fine print!” at the time, he said.
If he had read the notice, he might have realized opting out isn’t as simple as checking a box. Like most hospitals, the UW doesn’t allow for an instant “no.” Patients must write a letter to the privacy office.
Finn said he was disturbed because HIPAA bars using patient information for commercial purposes.
“Excuse me, but raising millions of dollars to support UW — a commercial enterprise hiding behind a not-for-profit mask — certainly sounds like a bending of the rules to suit a purpose,” he said. “You just feel as though your privacy is being violated. … Just because HIPAA might allow UW to do this does not make it right.”
McGinly, of the philanthropy association, said health-care fundraising is not a commercial use of patient information. The list of prospective donors is used only by hospitals — almost all nonprofit — to raise money for themselves, and is never traded or sold.
“If [a business] is selling medical devices, they cannot come in and buy this list.”
When HIPAA first began, some medical centers allowed patients to easily opt out at check-in, McGinly said, and 20 to 30 percent did so. As a result, hospitals never got a chance to make their pitch, he said.
If a health-care fundraiser gets a chance to explain how donations would benefit its programs, “an awful lot of people will say ‘Yes, I’d like to know more about that,’ ” he said, and many will give.
Carol M. Ostrom: 206-464-2249 or email@example.com